PfP: Pain-free Passwords 2.0.0

This is the first release under the new name “PfP: Pain-free Passwords,” previous releases went as “Easy Passwords.” This release also introduces significant updates to the cryptography powering the extension:

All metadata saved by the extension as well as backups are now encrypted (issue #47).

Password generation now uses scrypt algorithm rather than PBKDF2, making guessing the master password even harder (issue #58).

AES-GCM algorithm is used for encryption rather than AES-CBC (issue #47).

What this means for users

There will be a six months transitional period:

Passwords generated with the old algorithm are still supported, you have to check “Easy Passwords 1.x password” when recreating them however. Once the transitional period is over, these passwords will be converted into stored passwords, recreating them will no longer be possible.

Unencrypted backups can still be imported. You should create new backups however, importing unencrypted backups will not be possible once the transitional period is over.

Side-effects of the cryptography update

All Passwords page can no longer work without a master password and will ask for it if necessary.

Password notes will now be displayed directly instead of the message “Notes encrypted and saved,” no separate decryption step necessary for notes. Showing them on the All Passwords page is optional (issue #65).

Importing backups created with a different master passwords will fail completely rather than produce a bogus partial result.

Other changes

All Passwords page will now contain a recovery code for stored passwords. It is safe to print and allows recovering the password if entered into PfP later, assuming that the same master password is still used (issue #64).

LastPass export files can now be imported just like PfP’s own backups (issue #26).